Mark S. Miller (2013-09-29T01:19:47.000Z)
Actually, for this, confine isn't quite what you want, since you're
providing the entire extensible virtual global. (The confine function's
second argument is just the additions to the default powerless virtual
global.) You want compileExpr from
<https://code.google.com/p/google-caja/source/browse/trunk/src/com/google/caja/ses/startSES.js#783>
or the similar compileModule. To avoid the need for even mild translation,
I rephrased your example to assign to the bar property of the
pseudo-top-level "this".


```
> var env = {foo: 1};
undefined
> cajaVM.compileExpr('this.bar = foo+1')(env);
2
> env.bar
2
```

With mild translation (see the rewriteTopLevelVars mitigation option), you
could use compileModule instead and have your original source string appear
as you wrote it. Such mitigation unfortunately requires a full parser, and
so is only available when SES is bundled with
<https://code.google.com/p/google-caja/source/browse/trunk/src/com/google/caja/ses/mitigateGotchas.js>.
Caja does bundle these together.

ES6 module loaders will make much of this mechanism unnecessary, while
still enabling us to continue to support old SES code that uses the current
API.



On Sat, Sep 28, 2013 at 5:53 PM, Mark S. Miller <erights at google.com> wrote:

> On Sat, Sep 28, 2013 at 2:49 PM, Axel Rauschmayer <axel at rauschma.de> wrote:
>
>> Has this feature ever been considered?
>>
>> For example:
>>
>> ```
>> $ var env = { __proto__: window, foo: 1 };
>> $ eval('var bar = foo+1', env);
>> $ env.bar
>> 2
>> ```
>>
>
> See the "confine" function at
> <https://code.google.com/p/google-caja/source/browse/trunk/src/com/google/caja/ses/startSES.js#855>,
> also documented in section 2.3 of
> <http://research.google.com/pubs/pub40673.html>.
>
>
>
>>
>> Useful for writing interpreters and more convenient for interacting with
>> evaluated code than improvising something equivalent via `Function`.
>>
>> Axel
>>
>>         --
>> Dr. Axel Rauschmayer
>> axel at rauschma.de
>>
>> home: rauschma.de
>> twitter: twitter.com/rauschma
>> blog: 2ality.com
>>
>>
>> _______________________________________________
>> es-discuss mailing list
>> es-discuss at mozilla.org
>> https://mail.mozilla.org/listinfo/es-discuss
>>
>>
>
>
> --
>     Cheers,
>     --MarkM
>



-- 
    Cheers,
    --MarkM
domenic at domenicdenicola.com (2013-10-13T02:20:00.208Z)
Actually, for this, confine isn't quite what you want, since you're
providing the entire extensible virtual global. (The confine function's
second argument is just the additions to the default powerless virtual
global.) You want compileExpr from 
https://code.google.com/p/google-caja/source/browse/trunk/src/com/google/caja/ses/startSES.js#783 or the similar compileModule. To avoid the need for even mild translation,
I rephrased your example to assign to the bar property of the
pseudo-top-level "this".


```
> var env = {foo: 1};
undefined

> cajaVM.compileExpr('this.bar = foo+1')(env);
2

> env.bar
2
```

With mild translation (see the rewriteTopLevelVars mitigation option), you
could use compileModule instead and have your original source string appear
as you wrote it. Such mitigation unfortunately requires a full parser, and
so is only available when SES is bundled with https://code.google.com/p/google-caja/source/browse/trunk/src/com/google/caja/ses/mitigateGotchas.js. Caja does bundle these together.

ES6 module loaders will make much of this mechanism unnecessary, while
still enabling us to continue to support old SES code that uses the current
API.
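
The scoping behaviour shown in the compileExpr session above can be reproduced in plain JavaScript. The following is an added example, not part of the original messages and not Caja/SES source; `compileExprSketch` is a hypothetical name. It demonstrates only how free variables and the pseudo-top-level `this` resolve against the supplied object: it does not freeze primordials or validate the source string, so it is not a confinement boundary the way SES is.

```javascript
// Added illustration, not Caja/SES code. compileExprSketch is a hypothetical
// helper that mimics only the name-resolution behaviour of compileExpr.
function compileExprSketch(exprSrc) {
  // Function-constructor bodies are sloppy mode, so `with` is permitted.
  // The inner function is strict, so the expression itself runs as strict code.
  const maker = new Function(
    'scope',
    'with (scope) {' +
    '  return function () { "use strict"; return (' + exprSrc + '); };' +
    '}'
  );
  return function (env) {
    const scope = new Proxy(env, {
      // Claim every name, so no free variable falls through to the real global.
      has: () => true,
      get: (target, name) =>
        name === Symbol.unscopables ? undefined : target[name],
      // Assignments to free variables become properties of env.
      set: (target, name, value) => { target[name] = value; return true; },
    });
    // `this` inside the expression is env, the virtual global.
    return maker(scope).call(env);
  };
}

// Constructed sample input mirroring the session in the message.
const demoEnv = { foo: 1 };
console.log(compileExprSketch('this.bar = foo+1')(demoEnv)); // result of the expression
console.log(demoEnv.bar);                                    // property created on env
// A name absent from env is simply undefined rather than the host's global.
console.log(compileExprSketch('typeof process')({}));
```
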